<?php
/* FILE: process_edit_item.php
 * DESCRIPTION: Process called when a user presses the Submit Changes button in edit_item.php
 * POST DATA: rating, image_url, attribute data
 * GET DATA: cname (collection name), id (item id)
 */ 
	//Get session
	session_start();
	//Includes
	include('config.inc');
	include('includes/functions.php');
	//Get item id and collection name from url
	$itemId = $_GET['id'];
	$collectionName = $_GET['cname'];
	
	//Check to see if current user is owner of collection
	if(getUID($_GET['cname']) == $_SESSION['user_name'])
	{
		//Query to get the column names for the item
		$attributeQuery =
			"SELECT attribute_name, attribute_type FROM attribute WHERE attribute_collection_name = '"
			. mysql_real_escape_string($collectionName)
			. "' AND attribute_user_id = '"
			. mysql_real_escape_string($_SESSION['user_name'])
			. "' ORDER BY attribute_id;";
		if(!$attributeResult = mysql_query($attributeQuery))
		{
			echo $attributeQuery;
			die("Error getting column data");
		}
		
		//Populate the column array
		for($a = 0; $temp = mysql_fetch_row($attributeResult); $a++)
		{
			$attributeArray[$a] = (string)$temp[0];
			$attributeTypeArray[$a] = (string)$temp[1];
		}
		
		//Query to get the item data
		$itemDataQuery = 
			"SELECT * FROM item I, "
			. mysql_real_escape_string($collectionName)
			. " C WHERE I.item_id = "
			. mysql_real_escape_string($itemId)
			. " AND I.item_id = C."
			. mysql_real_escape_string(removeUID($collectionName))
			. "_item_id AND I.item_user_id = '"
			. mysql_real_escape_string($_SESSION['user_name'])
			. "';";

		//Query for item information	
		if(!$itemDataResult = mysql_query($itemDataQuery))
		{
			echo $itemDataQuery;
			die("Error getting item data");
		}
		
		//Grab data on the row returned by itemDataQuery
		$dataRow = mysql_fetch_row($itemDataResult);
		
		//Populate new data
		for($i = 0; $i < count($_POST); $i++)
		{
			$newData[$i] = (string)$_POST[$i];
		}
		
		//Populate old data
		for($i = 1; $i < count($dataRow); $i++)
		{
			if($i > 2)
				$oldData[$i-1] = $dataRow[$i+3];
			else
				$oldData[$i-1] = $dataRow[$i];
		}
		$success = true;
		//Check to see if new data matches old data, replace if no
		for($i = 0; $i < count($newData); $i++)
		{
			if($newData[$i] != $oldData[$i])
			{
				switch($i)
				{
					//Rating is changed
					case 0:
						switch((string)$newData[0])
						{
							case 'one': $rating = 1; break;
							case 'two': $rating = 2; break;
							case 'thr': $rating = 3; break;
							case 'four': $rating = 4; break;
							case 'five': $rating = 5; break;
							default: $rating = 0; break;
						}
						$updateQuery = "UPDATE item SET item_rating = '"
							. mysql_real_escape_string($rating)
							. "' WHERE item_id = '" 
							. mysql_real_escape_string($itemId)
							. "';"; 
						break;
					//Item image url is changed
					case 1:
						if($newData[1] == "")
						{
							$updateQuery = 
								"UPDATE item SET item_image_url = NULL"
								. " WHERE item_id = '" 
								. mysql_real_escape_string($itemId)
								. "';";
						}
						//Check to see if its a valid URL
						else if(!isUrl((string)$newData[$i]))
						{
							header('Location: edit_item.php?cname='
							. $collectionName
							. '&id='
							. $itemId
							. '&err=invalid');
							$success = false;
						}
						else
						{
							$updateQuery = "UPDATE item SET item_image_url = '"
								. urlencode((trim($newData[$i])))
								. "' WHERE item_id = '"
								. mysql_real_escape_string($itemId)
								. "';";
						}
						break;
					//Something else is changed
					default:
						//Check to see if input is consistent with type
						switch($attributeTypeArray[$i-2])
						{
							case 'INTEGER':
								//If NULL, insert NULL
								if($newData[$i] == "")
								{
									$updateQuery = "UPDATE "
									. mysql_real_escape_string($collectionName)
									. " SET "
									. mysql_real_escape_string($attributeArray[$i-2])
									. " = NULL WHERE "
									. mysql_real_escape_string(removeUID($collectionName))
									. "_item_id = '"
									. mysql_real_escape_string($itemId)
									. "';";
								}
								//Check to see if input is valid integer
								else if(!isIntegerData($newData[$i]))
								{
									header('Location: edit_item.php?cname='
									. $collectionName
									. '&id='
									. $itemId
									. '&err=invalid');
									$success = false;
								}
								//Normal query
								else
								{
									$updateQuery = "UPDATE "
									. mysql_real_escape_string($collectionName)
									. " SET "
									. mysql_real_escape_string($attributeArray[$i-2])
									. " = '"
									. mysql_real_escape_string($newData[$i])
									. "' WHERE "
									. mysql_real_escape_string(removeUID($collectionName))
									. "_item_id = '"
									. mysql_real_escape_string($itemId)
									. "';";
								}
							break;
							case 'REAL':
								//If input is null, insert NULL
								if($newData[$i] == "")
								{
									$updateQuery = "UPDATE "
									. mysql_real_escape_string($collectionName)
									. " SET "
									. mysql_real_escape_string($attributeArray[$i-2])
									. " = NULL WHERE "
									. mysql_real_escape_string(removeUID($collectionName))
									. "_item_id = '"
									. mysql_real_escape_string($itemId)
									. "';";
								}
								//Check to see if input is valid REAL data
								else if(!isRealData($newData[$i]))
								{
									header('Location: edit_item.php?cname='
									. $collectionName
									. '&id='
									. $itemId
									. '&err=invalid');
									$success = false;
								}
								//Otherwise, do a normal UPDATE
								else
								{
									$updateQuery = "UPDATE "
									. mysql_real_escape_string($collectionName)
									. " SET "
									. mysql_real_escape_string($attributeArray[$i-2])
									. " = '"
									. mysql_real_escape_string($newData[$i])
									. "' WHERE "
									. mysql_real_escape_string(removeUID($collectionName))
									. "_item_id = '"
									. mysql_real_escape_string($itemId)
									. "';";
								}
							break;
							default:
								//If input is null, insert NULL
								if($newData[$i] == "")
								{
									$updateQuery = "UPDATE "
									. mysql_real_escape_string($collectionName)
									. " SET "
									. mysql_real_escape_string($attributeArray[$i-2])
									. " = NULL WHERE "
									. mysql_real_escape_string(removeUID($collectionName))
									. "_item_id = '"
									. mysql_real_escape_string($itemId)
									. "';";
								}
								//Otherwise do a normal UPDATE - no need to check string input
								else
								{
									$updateQuery = "UPDATE "
									. mysql_real_escape_string($collectionName)
									. " SET "
									. mysql_real_escape_string($attributeArray[$i-2])
									. " = '"
									. htmlspecialchars(trim($newData[$i]))
									. "' WHERE "
									. mysql_real_escape_string(removeUID($collectionName))
									. "_item_id = '"
									. mysql_real_escape_string($itemId)
									. "';"; 
								}
								break;
						}
						break;
				}
				if($success)
				{
					if(!$queryResult = mysql_query($updateQuery))
					{
						echo $updateQuery;
						die("Update unsuccessful");
					}
				}
			}
		}
		
		if($success)
			header('Location: collection_item_list.php?colname='.$collectionName);
	}
	else
	{
		unset($_SESSION['user_name']);
		header('Location: index.php?err=denied');
	}
?>
	